PatchSiren cyber security CVE debrief
CVE-2026-8205 Concrete CMS CVE debrief
CVE-2026-8205 is a Medium-severity authorization bypass in Concrete CMS Calendar Block handling. According to the CVE and NVD record, action_get_events does not check canView on the calendar, which can disclose restricted event details. The issue was published on 2026-05-21 and is not listed as a known CISA KEV item in the supplied data.
- Vendor: Concrete CMS
- Product: Unknown
- CVSS: MEDIUM 6.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Concrete CMS site owners, administrators, and security teams should care most if they use the Calendar Block or rely on calendar permissions to hide event details. Sites that expose calendar content to different user groups should treat this as a confidentiality issue and verify whether restricted events could be viewed without authorization.
Technical summary
The vulnerability affects Concrete CMS 9.5.0 and below. The NVD record and CVE description indicate that the Calendar Block's action_get_events path fails to enforce a canView authorization check on the calendar, so restricted event details can be disclosed to callers who should not see them. NVD maps the issue to CWE-425 and assigns a CVSS v4.0 base score of 6.3 (vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
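The missing check the summary describes is a block action that resolves a calendar and returns its events without first authorizing the caller against that calendar. The PHP sketch below is added for this debrief and is not Concrete CMS code: the Calendar and Checker classes, the canView() signature, and the request and response shapes are stand-ins chosen for illustration, showing the vulnerable shape beside a hardened one that fails closed.

```php
<?php
// Added sketch for this debrief, not Concrete CMS source. The types are
// minimal stand-ins so both shapes of the action can run side by side.

final class Calendar
{
    /** @param string[] $viewerGroups groups allowed to view; empty means public */
    public function __construct(public array $viewerGroups, public array $events) {}
}

final class Checker
{
    public function __construct(private array $userGroups) {}
    // Stand-in for the canView check the CVE record says the action omits.
    public function canView(Calendar $calendar): bool
    {
        return $calendar->viewerGroups === []
            || array_intersect($calendar->viewerGroups, $this->userGroups) !== [];
    }
}

// Vulnerable shape: resolves the calendar from the request and returns its
// events to any caller, so a restricted calendar's details are disclosed.
function action_get_events_vulnerable(array $calendars, int $calendarID): array
{
    $calendar = $calendars[$calendarID] ?? null;
    return $calendar === null ? ['error' => 'not found'] : $calendar->events;
}

// Hardened shape: authorize against the calendar object before reading events,
// and answer "not found" for unknown and forbidden IDs alike so the response
// does not reveal which restricted calendars exist.
function action_get_events_hardened(array $calendars, int $calendarID, Checker $cp): array
{
    $calendar = $calendars[$calendarID] ?? null;
    if ($calendar === null || !$cp->canView($calendar)) {
        return ['error' => 'not found'];
    }
    return $calendar->events;
}

// Constructed sample data: calendar 2 is restricted to the Staff group.
$calendars = [
    1 => new Calendar([], [['name' => 'Open day', 'start' => '2026-06-01']]),
    2 => new Calendar(['Staff'], [['name' => 'Board meeting', 'start' => '2026-06-03']]),
];
$anonymous = new Checker([]); // visitor with no group membership
var_dump(action_get_events_vulnerable($calendars, 2));           // Staff event leaks
var_dump(action_get_events_hardened($calendars, 2, $anonymous)); // refused
```

The verification step in the recommended actions amounts to confirming that the deployed code behaves like the hardened shape for every calendar a given user group is not allowed to view.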
Defensive priority
Medium priority. Because the flaw is network-reachable and requires no user interaction or privileges, teams using Concrete CMS calendar features should review and remediate promptly, especially where event confidentiality matters.
Recommended defensive actions
- Review whether your Concrete CMS deployment uses the Calendar Block on affected versions (9.5.0 and below).
- Apply the vendor-recommended remediation referenced in the Concrete CMS 9.5.1 release notes.
- Verify that calendar permissions and access controls still prevent restricted event details from being exposed.
- Check logs and application behavior for unexpected access to calendar event data.
- If calendar data was exposed, assess which events and user groups may have been affected and rotate or reclassify sensitive content as needed.
Evidence notes
The supplied CVE description states that Concrete CMS 9.5.0 and below are vulnerable because action_get_events does not check canView on the calendar, resulting in restricted event details being disclosed. The NVD record provides the CVSS v4.0 vector and lists CWE-425 as a secondary weakness. NVD also references the Concrete CMS 9.5.1 release notes as the vendor source in the supplied corpus.
Official resources
- CVE-2026-8205 CVE record (CVE.org)
- CVE-2026-8205 NVD detail (NVD)
CVE published and sourced on 2026-05-21. This debrief uses the CVE/NVD publication timeline provided in the corpus and does not infer any earlier issue date.